Cisco 2911 ISR Firewall

Jayson Cruz
Level 1

Hi everyone,

I would like to inquire about how to deploy Cisco 2911 ISR routers to act as firewalls protecting segments of my network. We have more than 10 units of the said router at our branches, and I would like to ask how I can make one a firewall. It is running IOS with the sec/k9 license.

Hope that anyone can help me with my problem.

Thank you very much in advance

Best Regards,

Jayson Cruz

24 Replies

Andrew Phirsov
Level 7

ZBFW (Zone-Based Firewall) is the answer. The Cisco docs will help you on how to work with the feature.

Hi Andrew,

Thank you for your reply. If it is not too much to ask, may I ask for your help in getting a copy of or link to such Cisco documents? I am currently a newbie in the field of firewalling, on devices such as this Cisco 2911 ISR with the sec/k9 license.

Thank you very much and your assistance is very much appreciated.

Best Regards,

Jayson

Hi Jayson,

Just want to add some links that are really useful (the one mentioning the self zone was written by me):

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

https://supportforums.cisco.com/docs/DOC-27487

https://supportforums.cisco.com/docs/DOC-34539

If you speak Spanish, the blog at the link below discusses ZBFW in detail.

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jayson Cruz
Level 1

Hi Julio,

Thank you very much for your support.

Best Regards,
Jayson


Hello,

Sure. Do you have any other questions?

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jayson Cruz
Level 1

Hello Julio,

Thank you for your answer, I am starting to be enlightened with this topic.

Yes, I have another question: may I ask if I need to implement zone pairs when doing zone-based firewall between different sites?


Hello Jayson,

No, ZBFW is independent at each site.

So if you decide to implement ZBFW at 2 different sites on 2 different routers, you will need to set the zone-pairs between the interfaces only on the SAME router.

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jayson Cruz
Level 1

Hello my friend Julio,

Thank you for all your inputs; it has been a great learning experience for me. I wonder if zone-based firewall can be configured for HA (high availability) in active/active mode.

I just recently found out that the requirement is to configure IOS FW on two routers connected via iBGP, with each router having a different eBGP peering and redundant to each other.

Oh, and by the way, I just tried your blog/forum; however, I can't understand what's written on it since it is not in English, but nonetheless I think it is very educational.

Best Regards,
Jayson


Hello Jayson,

Here is a link to the failover/HA documentation for ZBFW (it's supported):

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/sec-data-zbf-ha.html

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jayson Cruz
Level 1

Hi Julio,

My apologies, but can I assign different zones to different subinterfaces?

I'm so sorry for causing you so much trouble.

Best regards,
Jayson


Hello,

Yes, you can.

Do not worry, Jayson. I'm here to help.

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jayson Cruz
Level 1

Hello,

What will happen if some of the subinterfaces are not members of a zone? Can they still route traffic out the service provider port that is configured to be in the public zone?

Thank you very much!

Best regards,
Jayson


Hello,

Traffic from an interface that does not belong to a zone to an interface that belongs to one will not be allowed (and vice versa).

So if you put the ISP interface into a zone, the sub-interfaces must be placed into one as well.

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
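The rules Julio lays out in this thread (a zone per subinterface, zone-pairs only between interfaces on the same router, and no traffic between a zoned interface and an interface left out of every zone) in one 2911 configuration. This is an added example, not a configuration from the thread or from Cisco's documentation; the interface names, VLAN IDs, addresses, zone names and policy names are all assumed.

```cisco
! Added example (not from the thread). Single 2911 running IOS 15.x with
! the sec/k9 license. Assumed topology: Gi0/0 is the ISP uplink, Gi0/1 is
! a dot1Q trunk carrying VLAN 10 (users) and VLAN 20 (DMZ).
!
! 1. Zones. Interfaces in the same zone talk freely; traffic between
!    different zones is dropped unless a zone-pair with a policy allows it.
zone security INSIDE
zone security DMZ
zone security OUTSIDE
!
! 2. Class maps select the traffic each zone-pair will inspect.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
ip access-list extended ACL-DMZ-WEB
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
!
class-map type inspect match-all CM-OUTSIDE-TO-DMZ
 match access-group name ACL-DMZ-WEB
 match protocol tcp
!
! 3. Policy maps: "inspect" creates a stateful session so return traffic
!    is allowed without a reverse zone-pair; everything else is dropped
!    and logged.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
policy-map type inspect PM-OUTSIDE-TO-DMZ
 class type inspect CM-OUTSIDE-TO-DMZ
  inspect
 class class-default
  drop log
!
! 4. Zone-pairs are unidirectional and exist only on this router. A second
!    branch router gets its own zones and zone-pairs; nothing is shared.
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security ZP-OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-OUTSIDE-TO-DMZ
!
! No INSIDE->DMZ zone-pair is defined, so users cannot reach the DMZ
! through this router until one is added.
!
! 5. Interface assignment. Each subinterface is a zone member of its own.
!    A subinterface left out of every zone could still reach other
!    zone-less interfaces, but not Gi0/0 once Gi0/0 is in OUTSIDE.
interface GigabitEthernet0/0
 description ISP uplink (assumed addressing)
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description LAN trunk
 no ip address
!
interface GigabitEthernet0/1.10
 description users VLAN
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1.20
 description DMZ VLAN
 encapsulation dot1Q 20
 ip address 192.0.2.1 255.255.255.0
 zone-member security DMZ
```

To confirm the result, `show zone security` lists which interfaces landed in which zone, `show zone-pair security` shows the attached policies, and `show policy-map type inspect zone-pair sessions` shows the live inspected sessions. Two caveats worth knowing before applying this on a BGP/HSRP router like the ones in this thread: traffic to and from the router itself belongs to the built-in self zone, which is permitted by default, so BGP and HSRP keep working with the configuration above; if you later add a zone-pair involving the self zone, that policy must explicitly permit BGP (TCP 179) and the HSRP hellos, or the peering and the HSRP group will fail. The second caveat is that the zone-pair policies are per router, so the same policies have to be configured identically on both HSRP peers.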

Jayson Cruz
Level 1

Hi Julio,

Good day, it's me again. My apologies for bothering you again. May I ask for your advice regarding the setup of my IOS Zone-Based Firewall on 2911 routers?

I have 2 2911 branch routers with BGP peering on WAN links to reach the branch. On the LAN interfaces of the said branch routers are the LAN segments, configured via the subinterface command and running HSRP with the other branch router.

How would I implement Zone-Based Firewall with HA without having drops because of asymmetric routing? I'm sorry, but the configuration guide that you sent me has so many options and configurations that I tend to get confused about which one is an alternative option and which one is part of the previous procedure. I hope you can help me with this one, as I need to implement it within this week.

Thank you very much, and I'm sorry for bothering you.

Thank you very much!

Jayson

